Back to skill

Security audit

Confluence

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Confluence helper skill whose credential use and page-management commands match its stated purpose.

Install only if you trust the confluence-cli npm package and are comfortable granting it access to your Confluence account. Treat the Atlassian API token and ~/.confluence-cli/config.json as sensitive, avoid sharing them in logs or screenshots, and confirm targets before running create or update commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs users to generate an Atlassian API token and configure the CLI, and it notes that configuration is stored at ~/.confluence-cli/config.json, but it provides no warning that this token is a sensitive credential that may persist unencrypted on disk. That omission increases the risk of accidental credential exposure through local compromise, backups, shared machines, or careless handling of the config file.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill includes create and update commands that directly modify remote Confluence content, but it does not clearly warn users that these actions are state-changing and may overwrite or publish content in a production workspace. In an agent context, unclear separation between read-only and write operations can lead to unintended data modification, defacement, or disruption of internal documentation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.